diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index 8645aedbde..ef122629d9 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -539,7 +539,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string // https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout params := endSessionURL.Query() params.Set("client_id", oauth2Cfg.ClientID) - params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx)) + + // AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri" + redirectURI := httplib.GuessCurrentAppURL(ctx) + if oauth2Cfg.Provider == "cognito" { + params.Set("logout_uri", redirectURI) + } else { + params.Set("post_logout_redirect_uri", redirectURI) + } + endSessionURL.RawQuery = params.Encode() return endSessionURL.String() } diff --git a/services/auth/source/oauth2/providers_cognito.go b/services/auth/source/oauth2/providers_cognito.go new file mode 100644 index 0000000000..ed499e093f --- /dev/null +++ b/services/auth/source/oauth2/providers_cognito.go @@ -0,0 +1,68 @@ +// Copyright 2025 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package oauth2 + +import ( + "html/template" + + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/svg" + + "github.com/markbates/goth" + "github.com/markbates/goth/providers/openidConnect" +) + +// CognitoProvider is a GothProvider for AWS Cognito +type CognitoProvider struct{} + +func (c *CognitoProvider) SupportSSHPublicKey() bool { + return true +} + +// Name provides the technical name for this provider +func (c *CognitoProvider) Name() string { + return "cognito" +} + +// DisplayName returns the friendly name for this provider +func (c *CognitoProvider) DisplayName() string { + return "AWS Cognito" +} + +// IconHTML returns icon HTML for this provider +func (c *CognitoProvider) IconHTML(size int) template.HTML { + return svg.RenderHTML("gitea-openid", size) +} + +// CreateGothProvider creates a GothProvider from this Provider +func (c *CognitoProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) { + scopes := setting.OAuth2Client.OpenIDConnectScopes + if len(scopes) == 0 { + scopes = append(scopes, source.Scopes...) + } + + provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, scopes...) + if err != nil { + log.Warn("Failed to create AWS Cognito Provider with name '%s' with url '%s': %v", providerName, source.OpenIDConnectAutoDiscoveryURL, err) + return nil, err + } + if source.ExternalIDClaim != "" { + // UserIdClaims is a fallback list; goth returns the first non-empty matching claim. + // A single entry is sufficient because the admin explicitly chooses one claim (e.g. "sub" for Cognito). + provider.UserIdClaims = []string{source.ExternalIDClaim} + } + return provider, nil +} + +// CustomURLSettings returns the custom url settings for this provider +func (c *CognitoProvider) CustomURLSettings() *CustomURLSettings { + return nil +} + +var _ GothProvider = &CognitoProvider{} + +func init() { + RegisterGothProvider(&CognitoProvider{}) +} diff --git a/web_src/js/features/admin/common.ts b/web_src/js/features/admin/common.ts index f0c0f5bee6..734c7915e0 100644 --- a/web_src/js/features/admin/common.ts +++ b/web_src/js/features/admin/common.ts @@ -86,6 +86,7 @@ function initAdminAuthentication() { const provider = document.querySelector('#oauth2_provider')!.value; switch (provider) { case 'openidConnect': + case 'cognito': document.querySelector('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required'); showElem('.open_id_connect_auto_discovery_url'); showElem('.open_id_connect_external_id_claim');